|
 |
24a42c |
From 153c0154050a111fd7e5bcf4a685f906a1dea737 Mon Sep 17 00:00:00 2001
|
|
|
24a42c |
From: Jose Castillo <jcastillo@redhat.com>
|
|
|
24a42c |
Date: Wed, 10 Mar 2021 15:33:50 +0100
|
|
|
24a42c |
Subject: [PATCH] [ds] Mask password and encription keys in ldif files
|
|
|
24a42c |
|
|
|
24a42c |
Both /etc/dirsrv/slapd*/dse.ldif{,.startOK} files contain
|
|
|
24a42c |
sensitive information :
|
|
|
24a42c |
- all the nsSymmetricKey entries : symmetric encryption key
|
|
|
24a42c |
- nsslapd-rootpw : the admin password's hash
|
|
|
24a42c |
|
|
|
24a42c |
This patch masks these entries in the files we collect.
|
|
|
24a42c |
|
|
|
24a42c |
Resolves: #2442
|
|
|
24a42c |
|
|
|
24a42c |
Signed-off-by: Jose Castillo <jcastillo@redhat.com>
|
|
|
24a42c |
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
|
|
24a42c |
---
|
|
|
24a42c |
sos/report/plugins/ds.py | 18 ++++++++++++++++++
|
|
|
24a42c |
1 file changed, 18 insertions(+)
|
|
|
24a42c |
|
|
|
24a42c |
diff --git a/sos/report/plugins/ds.py b/sos/report/plugins/ds.py
|
|
|
24a42c |
index f4d68d6e..d467dc89 100644
|
|
|
24a42c |
--- a/sos/report/plugins/ds.py
|
|
|
24a42c |
+++ b/sos/report/plugins/ds.py
|
|
|
24a42c |
@@ -74,4 +74,22 @@ class DirectoryServer(Plugin, RedHatPlugin):
|
|
|
24a42c |
|
|
|
24a42c |
self.add_cmd_output("ls -l /var/lib/dirsrv/slapd-*/db/*")
|
|
|
24a42c |
|
|
|
24a42c |
+ def postproc(self):
|
|
|
24a42c |
+ # Example for scrubbing rootpw hash
|
|
|
24a42c |
+ #
|
|
|
24a42c |
+ # nsslapd-rootpw: AAAAB3NzaC1yc2EAAAADAQABAAABAQDeXYA3juyPqaUuyfWV2HuIM
|
|
|
24a42c |
+ # v3gebb/5cvx9ehEAFF2yIKvsQN2EJGTV+hBM1DEOB4eyy/H11NqcNwm/2QsagDB3PVwYp
|
|
|
24a42c |
+ # 9VKN3BdhQjlhuoYKhLwgtYUMiGL8AX5g1qxjirIkTRJwjbXkSNuQaXig7wVjmvXnB2o7B
|
|
|
24a42c |
+ # zLtu99DiL1AizfVeZTYA+OVowYKYaXYljVmVKS+g3t29Obaom54ZLpfuoGMmyO64AJrWs
|
|
|
24a42c |
+ #
|
|
|
24a42c |
+ # to
|
|
|
24a42c |
+ #
|
|
|
24a42c |
+ # nsslapd-rootpw:********
|
|
|
24a42c |
+
|
|
|
24a42c |
+ regexppass = r"(nsslapd-rootpw(\s)*:(\s)*)(\S+)([\r\n]\s.*)*\n"
|
|
|
24a42c |
+ regexpkey = r"(nsSymmetricKey(\s)*::(\s)*)(\S+)([\r\n]\s.*)*\n"
|
|
|
24a42c |
+ repl = r"\1********\n"
|
|
|
24a42c |
+ self.do_path_regex_sub('/etc/dirsrv/*', regexppass, repl)
|
|
|
24a42c |
+ self.do_path_regex_sub('/etc/dirsrv/*', regexpkey, repl)
|
|
|
24a42c |
+
|
|
|
24a42c |
# vim: set et ts=4 sw=4 :
|
|
|
24a42c |
--
|
|
|
24a42c |
2.26.3
|
|
|
24a42c |
|